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METHOD OF DETECTING ILLICIT MODIFICATIONS OF 
MANUFACTURER SOFTWARE 

The invention relates notably to a method making it possible to 
5 detect modifications and/or to avoid the modification of manufacturer 
software for GSM mobile (abbreviation of Global System Mobile), software 
embedded In a reprogrammable memory. 

It also relates to any system comprising a hard l<emel 
(nonmodifiabie hardware occurring in the form of an ASIC for example) and a 
10 soft kemel (comprising programmable security functions), for example a PC- 
type computer comprising a nonreprogrammable ASIC and an operating 
system. 

GSM mobile terminals are reprogrammable so as to make rt 

15 possible to upgrade the software versions of the services offered to users. 
Currently, access to the reprogramming functions is not sufficiently secure 
and certain users easily succeed in perfomiing software modifications so as 
to override the security functions integrated by manufacturers. Therefore, 
they falsify the operation of the terminals so as to access additional services 

20 or functions or to reuse stolen terminals. 

Current means of protection against Illicit software modifications 
are inadequate. Hackers fairiy rapidly succeed In finding the addresses of the 
programmable memories to be modified, so as to neutralize or sidestep the 
security mechanisms put in place by manufacturers. The objective of 

26 "hackers" Is to permit, without payment, access to the potentially available 
additional services and to override the access controls. 

The modifications are achievable via multiple channels (UART or 
Universal Asynchronous Receiver/Transmitter, USB or Universal Serial Bus, 
JTAG or Joint Test Action Group, etc.) or by direct modification ori the 

30 reprogrammable memory or FEPROM (Flash Erasable Programmable Read 
Only Memory), by hardware Integrity attack by desoldering - resofcfering, for 
example. 
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The current mode of startup of a GSM terminal in auto- 
configuration mode* by detection of specific signals, is a wealc mechanism 
which does not offer solid protection. 

The invention relates to a method making it possible to detect 
5 and/or to avoid the modification of software embedded in a programmable 
memory within a system comprising a hard l<emel containing hardware 
security functions suitable for verifying the integrity in particular of a soft 
Icemel comprising a programmable memory, the system comprising a local 
data Interface. It is characterized in that it comprises at least the following 
10 steps: 

A1 - the signal received on the local data interface Is not yaiid, place the 
system in a disabled state, 

B1 - the received signal is a disconnection signal on the local data internee, 
or there is no signal, instigate a secure startup procedure, with execution of 
15 the control ftjnctions: 

Auto test of the hard kernel: 

• if the auto test Is OK, then test the integrity of the reprogrammable 
memory, 

o If this integrity is OK, then activate the system for normal 
20 operation 

o If this Integrity is KO, then place the system in a disabled state 

• If the auto test is KO. then place the system in a disabled state, 
CI - the received signal is a valid startup signal, 

• If the system is in a development mode, render it enabled. 

25 • If the system is in an enabled utilization mode and if the signal is a test 
signal, then deactivate at least one of the essential functtons of 
enabled operation. 

The Invention also relates to a method making It possible to detect 
and/or to avoid illicit modifications of manufacturer software within a GSIVI* 
30 type system, comprising a hard kernel and a soft kernel, a local data 
interface, characterized in that it comprises at least the following steps: 
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A2 - the signal received on the local data Interface of the terminal is not 
valid, place the GSM terminal in a disabled state, 

B2 - the signal is a disconnection signal on the local data interface or there is 
no signal, instigate a secure startup procedure, with execution of the control 
5 functions: 

Auto test of the hard Icemel 

• If the auto test is OK, then test the integrity of the soft kernel 

• If this integrity is OK, then activate the terminal for normal 
operation, 

10 •If the integrity is KO, then place the terminal in a disabled 

state, 

• If the auto test is KO, then place the GSM terminal in a disabled state. 
C2 - the received signal is a valid startup signal: 

• If the fuse is not blown , render the GSM terminal enabled, 

15 •if the fuse is blown, render the terminal not totally enabled, by 
deactivating at least one of the enabled functions of the terminal: 
o If the signal is a signal of JTAG test type, continue the test 
procedure, 

o If the signal is a test signal, start up in nonsecure mode and 
20 continue the test procedure. 

The exchange of the data between the hard kemel and the soft 
kemel is for example performed by using an algorithm based on the principle 
of non-replay and of nonpredictabillty of the transmitted data. 

25 The invention also relates to a system making it possible to detect 

and/or to avoid the modification of software embedded in a programmable 
memory comprising a hard kernel containing hardware security functions and 
a soft kemel comprising a programmable memory, a local data interface able 
to receive signals. It Is characterized In that rt comprises means suitable to: 

30 > place the system in a disabled state when the signal received on a 
local data interface is not valid, 
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> for a disconnection signal received or absence of signal on a local 
data interface, instigate a secure startup procedure, with execution of 
control functions: 

Auto test of the hard kernel: 
5 •If the auto test is OK, then test the integrity of the programmable 
memory, 

o If this integrity is OK, then activate the system for normal 
operation 

o If this Integrity is KO, then place the system in a disabled state 
10 • If the auto test Is KO, then place the system In a disabled state, 

> For a received signal is a valid startup signal, 

• If the system Is in a development mode, render it enabled 

• If the system is in an enabled utilization mode, and if the signal is a 
test signal then deactivate one of the essential functions of enabled 

15 operation on startup. 

The system can comprise means of securing the data exchanges 
between the hard kernel and the soft kernel. 

The system can be a GSM terminal or a PC-type micro-computer 
20 or an MP3-type reader containing a reprogrammable memory. 



The method according to the invention presents In particular the 
following advantages. It takes account of the industrial process of productionp 
of cornmercialization and of maintenance. The adaptation of the principles of 
25 integrity (in the authenticity sense: origin and integrity), of the 
reprogrammable software and data Is distributed over hardwans devices 
integrated within an ASIC guaranteeing non-modification of the control 
mechanisms, associated with software security devices adaptebfe to the 
various software versions of GSM terminals for example. 
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Other characteristics and advantages of the invention will be more 
apparent on reading the description of an example given by way of wholly 
nonlimiting illustration together with appended figures which represent: 

• Figure 1 the functional components of a GSM mobile tenninal having 
an impact on access security, 

• Figure 2 the structure of the FEPROIVI. 

• Figure 3 three security levels considered during the startup of the 
GSM, 

• Figure 4 a diagram of the logic of the assembly, 

• Figure 5 an example of secure exchanges between components of the 
GSM terminal without shared secret. 

In order to better elucidate the principle of the method according to 
the invention, the example which follows Is given for a GSM system whose 
15 architecture is recalled in Figure 1. 

This Figure 1 represents the functional architecture of a GSM 
terminal structured as several modules. Only the modules having an impact 
on security are represented in this figure and are taken into account for the 
description. We distinguish a hardware component comprising the hard 
20 kernel and a software component comprising the soft kernel. The hard kernel 
corresponds to the hardware security functions which make it possible to 
verify the integrity of the tenninal during nonmal startup or to disable the GSM 
terminal in any other mode of operation. The soft kernel integrates the 
software security functions which ensure the security of the code loaded into 
26 FEPROM. The soft kernel is signed off line by a secret key, and its signature 
is verified during NORMAL startup by the hard kernel. Should It be noted that 
the integrity of the GSM terminal is compromised (loss of the Integrity of the 
soft kernel), the terminal becomes disabled for any startup mode until a new 
intact soft kernel is downloaded into the terminal. 
30 The two modules taken into account subsequently in the 

description are: 

the hardware component comprising: 



5 



10 
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• The LISTEN_SIGNAL module; 

• The DEACTIVATION .FUNCTION module; 

• The STARTUP module: 

• The HARD_KERNEL module or hardware security module. 
5 the software component comprising: 

• The SOFT_KERNEL module; or software security module; 

• The APPLICATIONS module. 

The APPLICATIONS module of the software component Is 

partially secure, it depends tightly on the security policy chosen by the 
10 manufacturer. 

These two comp)onents are detailed subsequently in the description. 
The description adopts the following terminology: 

VAR: a nonunderlined variable or state conveys its ACTIVE nature; 

VAR : an underlined variable or state conveys a NEGATION of its ACTIVE 
15 nature. 

Hardware component 

HARD^KERNEL 

The hard kernel contains the hardware security mechanisms 

which make It possible to verify Its proper operation and the integrity of the 
20 soft kemel and the mechanisms which make it possible to define the security 

policy to be applied as a function of the startup mode (JTAG, OTHER, 

NORMAL), and the phase of operation of the terminal. ASIC with blown or 

unblown bit. 

In view of security, the functionalities covered by the various 
25 modules of the hardware component are implemented as two versions of 
components: 

The FUSE NOT BLOWN Component (no activation of security 
mechanisms) which uses the following modules: 

• LISTEN^SIGNAL 
30 • FUSE 

• STARTUP nonsecure 
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The FUSE BLOWN Component which comprises two modes of 
operation according to the detection or non-detection of a signal on startup of 
the temiinat (LISTEN_SIGNAL Module) (signal obsen/ed at the level of the 
local data interface of the GSM terminal) 
5 • Absence of signal: secure startup mode (the terminal is enabled) 

LISTEN^SIGNAL 

FUSE 

STARTUP (SECURE) 

• Reception of a signal at the ievel of the focal data interface of the GSM 
10 terminal: activation of the SPLIT function (inhibiting of an essential 

function rendering the terminal disabled) 
LiSTEN_SIGNAL 
FUSE 

DEACTIVATION_FUNCTION (or SPLIT) 
15 STARTUP (NON-SECURE) 

USTEN^SIGNAL module 

This module makes it possible to know the type of signal received at the level 
of the local data interface of the GSM tenninaL It can involve a signal of type: 

• JTAG: test startup mode where the system Instigation component or 
20 BOOT is not woken up, the security part is hence not activated, 

• NORMAL: nominal mode of operation (no signal received on startup of 
the terminal) where the security is systematically activated when the 
bit is blown, 

• RESTART: reinitialization of the system in a stable state before cold 
25 restart with predefined parameters. 

• OTHER: startup mode corresponding to various TEST modes where 
the BOOT component Is woken up but the security part is not 
activated. 

The reception of a signal on the local data Interface of the GSM 
30 terminal must lead to the terminal being systematically toggled into a 
disabled mode if the fuse is blown, with deactivation of the keyboard, of the 
sound or of an essential function for example. 
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j : 

I DEACTIVATION^FUNCTION MODULE (or SPLIT) 

; This module makes it possible to render the terminal disabled by 

deactivating a function essential for the operation of the GSM terminal, for 
example the keyboard, the sound or other. This module is called the SPLIT 
5 MODULEforthesakeofslmplfficatfon of the figures. 
FUSE MODULE 

This module makes It possible to test the state of the fuse which 
corresponds: 

UNBLOWN, to the pre-sale development mode (development, debugging, 
10 etc), with the use of the ASIC version comprising an unblown fuse. 

BLOWN to the mode of utilization of the GSM tenminal, after placement in the 
sales circuit, with the use of the ASIC version comprising a blown fuse. 
STARTUP MODULE 

This module has in particular the function of activating the security 
15 policy as a function of the type of startup invoked and makes it possible to 
apply the security policy according to the state of the fuse and the presence 
or absence of a signal. 
PILOTMODULES 

This module makes it possible to load the FLASH pilots, for 
20 management of the l/Os, so as to read, write and execute in FEPROM. The 
LISTEN_SIGNAL and FUSE_BLOWN Hardware modules are buried in the 
ASIC component, it is not possible to listen to or Intercept the streams 
exchanged between the two components. 
Software component 
25 Figure 2 represents the structure of the FEPROM (abbreviation of 

Flash Programmable Read Only Memory) and its interaction with the hard 
kernel. 

SOFT^KERNEL MODULE 

The soft kernel is a application overiay which ensures in particular 
30 the security of the applications and of the sensitive data referenced in the list 
of sensitive elements to be protected. The security mechanisms of the soft 
kernel are implemented at the level of the FEPROM after execution of the 
hard kernel. 
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The modification of the soft l^ernel requires a phase of 
downloading of a new signed soft Icemel so that the latter is recognized as 
valid at the level of the hard l<emei. 
APPLICATIONS MODULE 
5 This module can employ security mechanisms, distributed in the 

whole code contained in FEPROM, whose main objective Is to detect any 
unscheduled modification of tlie integrity of the monitored sensitive code. The 
security mechanisms of this module are specific to the manufacturer 
functions integrated into the FEPROIVI. 
10 The idea of the invention relies in particular on the control of the 

downloading of software Into the FEPROIW. This securing is based on control 
of authenticity and of integrity of the software to be downloaded. 

For this purpose, the method tal<es Into account the complete life 
cycle of the terminals. This life cycle corresponds to the hardware and 
15 software development phases, integration, tests, validation, commissioning, 
utilization, investigatory tests in the event of malfunction, return for 
maintenance with possibility of performing direct modifications of the software 
code or patches, so as to make It possible to test and to validate the error 
corrections or the integration of upgrades. 
20 A part of the mechanisms proposed in the method according to the 

Invention is based on the use of signature mechanisms using a Hash and 
asymmetric encryption algorithm. This malces it possible in particular not to 
be constrained by the unforeseen disclosure of secret information. 
Specifically only the signatory possesses the secret key, the key allowing the 
25 authenticity and integrity controls is a public key. 

This signature operation is performed, for example, after validation 
of the software on a dedicated station before dissemination of the software to 
be downloaded. Only this station will know the secret signature key. This 
station will also have the capacity to generate the asymmetric key pairs in the 
30 event that renewal of the keys is required. 

The method according to the invention relates to the hardware 
security mechanisms taken into consideration when designing the mobile 
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terminal and also the security mechanisms to be added at the level of the 
software layer of the terminal. 

Hereinafter in the description two modes of operation are Involved: 
The NORIVIAL Mode : this mode makes it possible to activate the startup 
5 procedures for the ASIC of the GSM tenninal and to render the GSM terminal 
enabled, 

The TEST Mode : this mode makes It possible potentially to override the ASIC 

startup procedures (for example by using the JTAG interface) and to read 

and/or to write directly in FEPROM. 
10 Two operating states are envisaged for the commissioning of the security 

meciianisms according to the state of the fuse described hereafter. The state 

of the fuse corresponds to a specific ASIC version. 

Figure 3 shows diagrammatically various security levels which will 

be detailed in Figure 4 of the overall logic diagram. 
15 Three cases are to be considered during startup of the terminal, Figure 3: 

Fuse not blown, with or without signal 

This case relates to any type of startup with or without signal once the fuse is 

blown; the security mechanisms are not activated 

Signal and Fuse blown 
20 This case implements the activation of the SPLIT function 

No signal and Fuse blown 

Startup is secure 

No signal and fuse not blown 

Startup is not secure 
25 Figure 4 details the various steps implemented by the metliod 

according to the invention. 

The GSM terminal being in an off state, the method verifies 

whether it receives a signal on the local data Interface (external signal as 

opposed to the customary GSM turn-on). 
30 A2 - In the case where the received signal is not valid, then the method 

toggles the GSM terminal into a disabled state (action = turn-off). 

B2 - In the case where the GSM terminal does not receive any signal or 

receives a disconnection signal on the local data interface, we are in the 
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NORMAL mode -> turn-on in normal utilization mode. The method then 
instigates the secure startup procedure (alt the integrated security 
procedures are activated nomnally, in the event of noted attacl< of loss of 
integrity of the system, the terminal is no longer enabled). 
5 After turn-on, the method thereafter executes the control functions: 
Auto test of the hard kemei: 

• If the auto test Is OK, then the integrity of the soft kernel is tested 

• If this integrity is OK, then the tenminai can be activated for 
normal operation, 

10 •If the integrity is KO, then the GSM system is placed in 

disabled state. 

In this mode, the tenminai is able to detect an intrusion and hence to react 
to any modification of the sensitive areas. In the case of the detection of 
loss of integrity of the soft kernel, the GSM terminal executes the 
15 envisaged defense functions. 

• If the auto test of the hand kernel is KO, then the GSM terminal is 
placed in a disabled state. 

C2 - In the case where the GSM terminal receives a valid startup signal, the 
method executes the following steps: 
20 ♦ The fuse is not blown. Auto-configuration NOT BLOWN, no security 

function is implemented, the system is rendered enabled (on state, 

action standby). 

• The fuse is blown, Auto-configuration BLOWN, the terminal is 
rendered not totally enabled by using a SPLIT function, so 

25 o If the signal is a JTAG signal, the keyboard or the screen is 

deactivated before continuing the test procedure, 
o If the signal is another valid test signal, the keyboard or the 
screen is deactivated and a nonsecure startup procedure is 
instigated before continuing the test procedure. 
30 These two complementaiy and disjoint deactivation modes make it 

possible in particular to conduct all the test scenarios v\^thout the tennlnat 
being completely enabled. 
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It is possible, for example, to define a deactivation mode yNhere a 
user interface would be offloaded from the GSM terminal. 
For example, for a keyboard interface: 

• Test mode 1 : the tenninal is enabled but the keyboard is inactive. This 
5 mode requires the addition of a keyboard offloaded to the test 

machine. 

• Test mode 2: the keyboard is enabled - the radio pathway or any 
other function is inactive. 

Figure 5 shows diagrammatically the principles of securing of the 
10 message exchanges between the modules of the GSM terminal. 

The securing of the data exchanges is for example based on the 
principles of non-replay of the transmitted data and of nonpredictability of the 
dynamic data. 

It can be conceivable to implement one or the olher of the 
16 mechanisms at the level of the GSM terminal. The addition of a dynamic data 
item (temporal value or pseudo-random) to render the exclianges of 
messages dynamic so as to limit any attempt to replay an intercepted stream 
or to use pirated software. 

Component A can be the ASIC (where the HARD KERNEL is) and 
20 component B can be the FEEPROIVI (where the SOFT KERNEL is). The 

exchanges between A and B are then protected by the process described in 

Figure 5. SHA represents a "hash" function, XOR corresponds to an 

"exclusive or" operation, DYN corresponds to a random string. 

The messages exchanged are for example the following: 
25 1/ Generator of dynamic data (clock, pseudo-random) -> DYN 

From the ASIC A to the FEPROM 

2/ Dispatch of DYN 

3/ MSGi=SHA(DYN received) XOR (Question) 
from the FEPROM B to the ASIC A 
30 4/ Dispatch of MSGi 

5/ Question received = SHA(DYN) XOR(MSGl ) 

6/ Verification of the semantics of the question received 

7/ MSG2 = SHA(Question received, DYN) XOR ANSWER 
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from the ASIC A to the FEPROM B 
8/ Dispatch of MSG2 

9/ ANSWER^RECEIVED = MSG2 XOR S»A{Quesflon, DYN received) 

5 Without departing from the scope of the invention, the method also 

applies for detecting and/or avoiding illicit modificatrohs within a PC type 
system, comprising an ASIC (nonmodlflable hardware) and a memory space 
comprising a software layer to be protected. 

The method also applies in an MP3 type reader containing a 
10 reprogrammable memory, such as MP3 readers of USB key type. 
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